
How to Remove Webroot Secure Anywhere from Mac OSX

October 20, 2014 | 1 Reply


I always thought that getting an antivirus for your system was for your own security, but when that sense of security becomes an annoyance and the product starts acting like malware, that is where you draw the line.

When I got this MacBook Pro as a gift, it came with software called Webroot Secure Anywhere for Mac, and I thought the six-month trial was a good deal. Things went awry when the trial ran out: it suddenly started popping up on my screen almost constantly, asking me to renew. It didn't stop there; I couldn't even force quit it or delete it directly from my Applications folder.

It freaked me out and I had to dig deep to find forums that shed light on the matter. I read a lot on the internet, and most of the suggestions didn't work at all. Here's the solution I came up with to remove Webroot Secure Anywhere for Mac.

  1. Go to your "Applications" folder on the Mac.
  2. Open the "Utilities" folder, find "Activity Monitor" and open it.
  3. Find the Webroot Secure process in Activity Monitor (I found it under the "Disk" tab) and click the X in the upper left corner of the window, just below the yellow, red and green buttons. That X kills the process.
  4. Step 3 must be done quickly, so have your "Applications" folder open already. After killing the process, go to the "Applications" folder, right-click the Webroot Secure app and move it to the Trash. If you are fast enough, Webroot will not reactivate after you kill the process; instead a dialog box appears asking whether you want to UNINSTALL WEBROOT SECURE. Choose uninstall and your problem is over.

I hope this short tutorial helps anyone having serious trouble with Webroot Secure. I will never install this crap again.

Malware on iTunes Gift Certificate Email Notices

May 9, 2010 | 5 Replies


I have never bought a gift certificate from iTunes, so I was intrigued when I read an email allegedly from iTunes informing me of the purchase of a $50 iTunes gift certificate.

It was strange because the email was sent to my personal ISP email address, which I read via Outlook Express and have rarely used in more than two years. The email came from "iTunes Store" (online.services@itunes.com), which looks quite believable because of the itunes.com domain.

The email reads,

“Hello!

You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.

Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.

iTunes Store”

The email is very informal, so in other words it's fishy (see the screenshot of the email below).

Malware on iTunes Gift Certificate Email Notice

Again, my curiosity got the better of me, so I tried to download the attachment, but it was blocked by my Windows XP SP2 system, so I didn't pursue the idea.

“Windows normally blocks suspicious emails if your program is running in a strong security mode.”

Most files that contain scripts or code that could run without your permission will be blocked, e.g. files with extensions such as .exe, .bat and .js.

The attached file is in .zip format, so it's likely that the hidden file, probably an executable (as most malware is), was compressed into a zip archive for easier distribution.

Windows Security Warning

It's good that Windows detected the malicious file before it was even downloaded. In my experience with Yahoo, although attachments are scanned with Norton before download, the malware attached to the Facebook password reset email I wrote about earlier was not detected until a few days later.

Another lesson learned: always check the veracity of an email before downloading any attachment, and if it looks suspicious, delete it right away. End of story.

Got something similar to share? Let’s talk about it in the comments section.

Security Alert: “Biet tin gi chua, vao day coi di” Virus on Yahoo Messenger

April 18, 2010 | 2 Replies


The Vietnamese phrase "Biet tin gi chua, vao day coi di" may not sound familiar to you, but once you get this message from one of your Yahoo Messenger contacts, you would be right to inform them that a virus sitting on their computer is sending you this message automatically without their knowledge.

Yes, you read that right. It is a virus, and I got the same message via my Messenger client and as a text message on my mobile phone while I was offline.

Yahoo Messenger Virus

According to Google Translate, "Biet tin gi chua, vao day coi di" means "Know what sour news, the day regarded mobile", although I'm not sure that is correct; only native Vietnamese speakers can say. Whether the translated phrase literally makes sense or not, the technical point stands: you have to advise your contact that they have some serious PC disinfecting to do.

It's weird that this issue can be traced back two years, yet it still comes back to this day hunting innocent users.

If you ever receive this message, which normally comes with a link to a certain website, don't fret: your PC is safe (as long as you didn't click the link), but your contact's isn't.

Let them know that they need to do a full computer scan, but they may have to update their antivirus first. If the threat isn't detected after the scan, they may have to edit the registry, although I don't recommend it. If you're not sure what you're doing, do it at your own risk and be extra careful.

A certain forum cited some steps, but in Malay, so I translated the text through Google. Here it is:

Firstly, to remove the virus:
» Disable System Restore.
» Try to update your anti-virus, or scan online at www.bitdefender.com (use Internet Explorer).
» Complete the virus scan if still available, then reboot the computer in Safe Mode (press F8).
» Go to Start » Run » type regedit » OK.
» Navigate to this value, find it and delete it:

HKEY_ALL_USERS » Software » Microsoft » Windows » Current Version » Run [last directory]
see the right value » "Yahoo Messenger" = "C:\WINDOWS\system32\SSVICHOSST.exe"

with

HKEY_LOCAL_MACHINE » Software » Microsoft » Windows » Current Version » Winlogon [last directory], see the right value »
"Shell" = "Explorer.exe SSVICHOSST.exe"

note: SSVICHOSST.exe <- worm

Then restore the default registry values. Navigate to:

HKEY_ALL_USERS » Software » Microsoft » Windows » Current Version » Policies » System [last dir] » set value "DisableTaskMgr" = "1"
HKEY_ALL_USERS » Software » Microsoft » Windows » Current Version » Policies » System [last dir] » set value "DisableRegistryTools" = "1"
HKEY_CURRENT_USER » Software » Microsoft » Windows NT » Current Version » Policies » Explorer [last dir] » set value "NofolderOptions" = "1"

Exit regedit » Restart PC.
I already removed this on Windows XP. To make it easier for you, when you open regedit use Ctrl+F and search for SSVICHOSST.exe.

See if you have this file or not, then follow the instructions.

The above instructions are copy-pasted “as is” with minor word editing for coherence.
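As an added example (not from this post or the quoted forum), the PowerShell script below audits a Windows machine for the persistence and lock-down indicators the quoted steps describe, without changing anything; cleanup still follows the steps above. It assumes the quoted HKEY_ALL_USERS corresponds to HKEY_CURRENT_USER, checks the Winlogon and policy values at their standard locations as well as the paths exactly as quoted, and takes SSVICHOSST.exe from the post as the only indicator.

```powershell
# Read-only audit for the SSVICHOSST.exe indicators quoted above.
# Added example, not code from the original post or the forum it quotes.
# Assumption: the quoted "HKEY_ALL_USERS" is treated as HKCU; the worm file
# name comes from the post and is the only indicator searched for.
$Indicator = 'SSVICHOSST.exe'
$findings  = @()

# 1. Autostart: Run keys where the worm registered itself as "Yahoo Messenger".
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match [regex]::Escape($Indicator)) {
            $findings += "Autostart entry: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 2. Winlogon Shell: must be exactly "explorer.exe"; the worm appends itself to it.
#    Standard location is under "Windows NT"; the quoted path is checked as well.
$winlogonKeys = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings += "Winlogon Shell at $key is '$shell' (expected 'explorer.exe')"
    }
}

# 3. Lock-down policies the worm sets so the user cannot investigate.
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name = 'NoFolderOptions' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }  # path as quoted
)
foreach ($pol in $policies) {
    $v = (Get-ItemProperty -Path $pol.Path -Name $pol.Name -ErrorAction SilentlyContinue).($pol.Name)
    if ($v -eq 1) { $findings += "Policy $($pol.Name) = 1 at $($pol.Path)" }
}

# 4. The dropped file itself, at the location named in the quoted Run value.
$file = Join-Path $env:SystemRoot "system32\$Indicator"
if (Test-Path $file) { $findings += "File present: $file" }

# Report. Nothing is deleted or modified by this script.
if ($findings.Count -eq 0) {
    Write-Output "No $Indicator indicators found."
} else {
    Write-Output "Indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM values are readable; an empty report after cleanup confirms the entries in the quoted steps are gone.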

One more word of advice: make sure you're using a separate anti-spyware program in addition to an antivirus for tougher protection.

HOW TO: Remove Fake Antivirus Software

March 24, 2010 | 11 Replies


I mentioned in my post about rogueware attachments on Facebook support emails that I'd share with my readers how I removed the fake antivirus in minutes without any complicated steps or registry editing, so brace yourselves: this article answers that.

The rogueware or fake antivirus most likely arrives as a file like Facebook_details_348.exe (other file names may vary), an executable which, when opened, starts a fake scan that runs quicker than a legitimate antivirus scan and, when finished, shows a scan results popup listing non-existent threats on your system, deceiving you into purchasing a license to get rid of them.

XP Smart Security Virus

Once you fall into this trap, the scammers take your money as you pay, or worse, steal your financial information such as credit card numbers and even your identity.

Xp Smart Security Alert

Alongside the fake scanning screen, you'll be bombarded with endless dialog boxes and pop-ups, and if you panic at these unrelenting messages telling you that something horrible is happening to your computer, you'll eventually fall for their scheme, so calm down.

Xp Smart Security Balloon Alert

The fake antivirus I encountered, attached to emails on two of my accounts, was XP Smart Security 2010. How did I get rid of this rogueware?

Removing XP Smart Security 2010

To remove this threat (a Trojan, to be exact), always make sure that your antivirus software is running in your system tray at all times and is activated at Windows startup. That way, whenever a virus or malware attacks, you can immediately run a scan. If your antivirus is not running during your sessions, chances are high that when a fake antivirus attacks, it will immediately take over the Windows Security Center settings, deactivating your virus protection before you can even run it, and at the same time leaving the Windows Firewall helpless.

My own antivirus (AVG 9.0 Free) was running in the system tray alongside Spybot Search and Destroy when XP Smart Security 2010 launched its attack. It immediately took the Windows Firewall and the Virus Protection settings in Windows Security Center hostage by turning them off.

Turning them back on is not possible, so your only option is to get rid of the fake antivirus before everything returns to normal.

I managed a quick online search about XP Smart Security 2010 before the virus disabled all the browsers on my computer. Many write-ups are available, but the presentation is vague and often promotional, with affiliate links to software vendors, so I decided to trust my instincts and my antivirus.

AVG 9.0 was running in the background. It wasn't able to block the rogueware before it started changing the registry, which would have been better, but I guess that is one of the drawbacks of a free product when real-time protection is not guaranteed. Nevertheless, I was able to run AVG while the malware was doing its dirty work.

AVG tracked the threats immediately, but then a power failure shut my computer off, and since I have no backup power supply on my desktop, I simply waited for the electricity to return. When I rebooted, the fake antivirus was gone, along with the annoying pop-ups.

See the attached screenshot of the threats (Trojan horse) AVG found, and notice the "Reboot is required to finish the action" remark.

AVG Scanned Threats on XP Smart Security 2010

The file locations correspond to the registry entries that were overridden during the attack, based on the screenshot from Spybot Search and Destroy, my favorite anti-spyware.

XP Smart Security effect on registry as detected by Spybot Search and Destroy

There are definitely a lot of fake antivirus programs lurking on the web like predators waiting for their next prey, so be vigilant and learn from this real-life security tip.

Summary of the Tips to Keep your PC Protected from Fake Antivirus Attacks

  1. Keep your antivirus software running in the background at all times while your computer is on.
  2. Be mindful of everything you download, whether email attachments or any other files stored on your hard drive. Scan these files after every download whenever possible. Firefox scans during the download, but in the case above, attachments (usually zipped files) are sometimes overlooked by Norton Antivirus on Yahoo Mail and by other email providers, including paid ones, so be careful when extracting them if you aren't sure what they are. Especially with executable files (filenames ending in .exe), don't open them.
  3. Choose the best antivirus and anti-spyware software for solid protection. Free ones like AVG 9.0 and Spybot have done a great job protecting my PC for years. You might also want to try Remove Fake Antivirus 1.63, although I cannot vouch for it because I have never tried it, unless I encounter another rogueware in the future.
  4. Finally, always check your antivirus for updates so that if anything happens in the future, you know your software can handle it.

I hope you like this post and will share it with your friends and family. If you have similar stories and tips, please share them here. I would appreciate it.

Virus Alert: Facebook Password Reset Confirmation Support Message Attachments

March 22, 2010 | 15 Replies


There have been many reported incidents this week of Facebook password reset confirmation emails carrying an executable attachment that, once opened, triggers a Trojan attack on your computer and runs rogueware: fake antivirus, anti-spyware or anti-anything software meant to deceive an alarmed user with non-existent threats in scan results and endless popup or balloon messages until they pay for a license in exchange for a trouble-free system.

The recent attack came from Facebook's email database and was sent to thousands (I'm not sure of the statistics), but it's amazing that even my domain email, which is not connected to Facebook at all, received the same email below (copy-pasted as is):

Dear user of facebook,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
Your Facebook.

The actual email screenshot is shown here:

Facebook Password Reset Confirmation Support Email with Rogueware Attachment

It's pretty clear that it's not a legitimate email because of the missing proper heading and salutation, but surprisingly it wasn't marked as "Spam" by Yahoo Mail or by my hosting email. If you aren't careful enough, or if curiosity gets the better of you, you'll be tempted to download the attached zip file. Note that the addressee in the email above wasn't me, yet it landed in my rocketmail.com account.

Normally the file name is Facebook_details_348.zip. The built-in Norton Antivirus scanner on Yahoo Mail wasn't able to detect it as a virus yesterday, but when I tried downloading it today, that was no longer the case. Perhaps Norton already knew what it was.

If I'm not mistaken, the enclosed executable was Facebook_details_348.exe (.exe files cannot be sent through most email services because of the risks associated with this type of file), which when executed initiates the rogueware XP Smart Security 2010, though it may change its name depending on the OS it finds on your computer, e.g. on Windows Vista it would be Vista Smart Security 2010.

I have direct experience with this scenario, so I'm sharing it now with all my readers. My PC is in good condition after the fake virus attack. I did nothing special about it, so if you want to know how I removed the fake antivirus in minutes without any complicated steps or registry editing, stay tuned by subscribing to this blog via email or RSS and watch out for my post about it.

Updated 24 March 2010

Here's my follow-up post regarding this incident: How To Remove Fake Antivirus Software.

Phishing Scam Links from Twitter Direct Messages

November 12, 2009 | 4 Replies


This may not be news to you, but I thought it might serve as a reminder for whenever you get direct messages on Twitter and are tempted to click the links.

More than once or twice I have received DMs with links pointing to phishing sites, and this inspired me to write how-to posts on setting up Firefox and Google Chrome for secure browsing, because having the right settings has indeed saved the day for me.

SXSWi 2009: Sketchnotes: Scam School

If you encounter the link http://blogger.djhxkcs.com/ in one of your DMs, don't click it. If you click it unknowingly, you'll be warned anyway if you have the right browser settings. Usually, when these bad guys send me links like these, I broadcast them on Twitter and unfollow them right away. I let people know that they are sending links to phishing sites so that people who don't know will avoid them.

Once and for all, these schemes should be stopped for good, or at least minimized. If you encounter such fake web pages hidden behind shortened links on Twitter, do something about it, and always keep your browsers secured.

In Internet Explorer 8, you can set up secure browsing via the Safety menu; make sure the SmartScreen Filter isn't turned off. This way you'll be safer while browsing the internet and always alerted whenever you come across a suspicious or attack site.

Gizmodo Scareware Fiasco and My Two Cents

November 1, 2009 | 4 Replies


It seems that every day thousands of online users fall into the hands of crooks, becoming victims of online fraud, identity theft, phishing, hacking and viruses.

Gizmodo iPhone & iPod Touch Webclip

Recently, cyber criminals once again proved that nobody on the web is safe. Gizmodo, a popular gadget blog, became the host of a scareware outbreak that affected many of its readers (without them initially knowing it) through an alert triggered by an advert encouraging users to download fake software, otherwise known as scareware or rogueware.

Scareware works by deceit, instilling fear by convincing users that their system has been infected with a virus and that they need to download the software for protection.

Once you fall into this trap, the malware executes on your computer and creates system trouble. Some malware is very intrusive, and the possibility of personally identifiable information being stolen from one's system cannot be discounted. Some forms of malware record keystrokes in an instant, which can lead to the latter case, normally termed identity theft.

I'm a reader of Gizmodo, in fact a subscriber, but I only read their posts via RSS, and since they publish a lot of articles on a given day I can't keep up, so I simply skim the headlines. The day the scareware went out, I wasn't there, but if I had been, I wouldn't have bothered downloading anything from their site, even though it's a well-known technology blog. For me, it's not an exception.

I had my fair share of experience and tasted Conficker during its run; the main reason my system got it was that I had deactivated the antivirus for several days and failed to download Microsoft's security update. Other than that careless mistake, so far I'm good.

Tell you what: I'm going to share some simple tips which would definitely save you from any scareware plot.

  1. If you're on a website that offers software downloads and is not the software's official distribution site (e.g. AVG.com, Avast.com, etc.), don't download anything. Although some software download sites have been around for some time and have earned your trust, it doesn't hurt to visit the developer's site where the software originates. Once you have tracked the software's whereabouts, much like checking a person's background, you'll get the hint. If the software has not been updated for a long time, think again before you download, because you might be harvesting rotten eggs.
  2. Avoid clicking banners and popups inviting you to a free scan, because this is where most malware hides. Fight your trigger-happy click tendencies.
  3. Hover over links and look at your browser's status bar before you click them. This way you'll get an idea whether the link redirects to a suspicious URL. This simple no-brainer trick helped me avoid a PayPal phishing attack in my email some weeks ago.
  4. There are cases where you have already downloaded the software and your browser has not flagged it as malicious. Before you run the file, make sure you have scanned it with your antivirus software, because some executable files are left undetected by browsers and appear normal, yet the moment you run them, you're infected. This holds true for all types of files you download online.
  5. Don't run downloads directly from your browser, especially executable (.exe) or binary files. Save them to a separate folder on your computer and scan them before you execute the file.
  6. Stay away from unfamiliar file extensions unless you have researched them before downloading.
  7. Keep your browsers and antivirus software regularly updated.
  8. Scan your system regularly.
  9. Keep abreast of the latest news on internet and computer security by visiting your antivirus provider's website or subscribing to their RSS feeds, related sites, blogs and forums.
  10. Always be in the know. You may not remember all of these in one sitting, so it pays to bookmark this and spread the word so that someone can remind you if you've missed something.

These are my two cents on how we can avoid becoming victims of scareware and cyber criminals, all based on my personal experience. If you have something to share, please do so in the comments section.

Avoid Web Forgery Using Firefox

October 30, 2009 | 10 Replies


In addition to the many internet security measures I have written about in the past, this post provides another vital piece of information that benefits not just Firefox users but anyone wondering how their browser can help keep their personally identifiable information safe and secure while surfing the web.

I normally use Firefox as my alternative (among the other three well-known browsers), despite some performance issues I have with it, because of its tight built-in phishing and malware protection, which I think is indispensable.

If you clicked on a link, especially in IMs, chat rooms or social networking sites like Twitter and Facebook, while using Firefox and the image below popped up on your screen, it simply means you were about to become a victim of Web Forgery. And what is Web Forgery?

Web Forgery on Firefox

Web Forgery, otherwise known as phishing, is a form of identity theft that directs a user to a fake website (resembling the look and feel of a legitimate one) in order to steal sensitive information, normally financial, such as credit card numbers, PINs, bank account details and other personally identifiable information.

A PayPal phishing attack that happened to me a few weeks ago is a concrete example of how phishing attacks operate (usually via email). Once you click the link, it brings you to the trap (the fake website), and the moment you give them your vital information you're screwed, because they will scrape all the money from your bank, your credit card or your PayPal account.

There are other instances where you'll encounter the same message, especially when you run into Attack Sites. Attack Sites are websites that infect your computer with malware; a regular website can also be turned into an Attack Site without the webmaster knowing it. Malware normally gets onto your computer when you download or install software from unknown sources, or simply when you visit such sites, so if your browser can detect these types of threat, I suggest you don't proceed.

More about phishing and malware protection in your favorite browser in my succeeding posts; stay tuned.

Beware of Paypal Account Blocked Emails

September 17, 2009 | 7 Replies


If you're a PayPal account holder, you'd better read on. As a morning routine, I normally start the day checking my emails and filing them into folders after reading them.

As part of the task, I also check the spam folder once in a while; I have it set to auto-delete only after two weeks, because sometimes legitimate mail goes straight to it, as most of you are aware.

I was surprised to find an email in my spam folder with the subject "Alert: Account-Blocked!!!", which claims to be from "Paypal" but whose sender address was paypalalert@security.2internet.com. It also uses the PayPal logo with a blurred or unrecognizable TM mark (see attached screenshot).

I read on and it says,

Dear Customer,

Your paypal account has been blocked for security reasons. Hence we request you to unblock your Paypal account by clicking on the link below immediately for uninterrupted services.

Paypal Phishing Attempt Email

Alright, there have been security issues with PayPal before, and at some point hackers inserting key loggers into your computer to record every keystroke you make comes into play, so it's not impossible for them to get your PayPal account password.

But how can this be possible? If you are click-happy with links, especially those in your email, whether from your inbox or your spam folder, then think again. Vigilance is the key to safety.

If the sender asks you to click a link, especially a suspicious one, don't do it, because if you do, chances are you will introduce malware that attacks the security of your computer, compromising your privacy and valuable information, not just wiping out your system with viruses. This has happened in many instances that history has recorded, so don't fall into the trap.

To get an idea of where a link leads without clicking it, simply hover your cursor over the link while looking at the lower left corner of the browser window. There you will see the exact URL of the link, and if you suspect something fishy or a nasty redirect, do not continue. Firefox has the Interclue add-on, which provides information about a link's landing page plus other important details.

Based on the email I received, the sender address is paypalalert@security.2internet.com. The clue is that the domain the email came from is security.2internet.com, not paypal.com, and even though they use "Paypal" in the subject line, don't rely on that, because PayPal does not send to undisclosed-recipients.

A few minutes after finalizing this post, PayPal confirmed that the email I received was a phishing attempt designed by identity thieves trying to trick me into revealing my password and other personally verifiable information through phishing emails and fake websites (see screenshot below).

Paypal Phishing Attempt Email Submission Response

If you ever encounter something similar, a phishing or fake email, forward it to spoof@paypal.com and delete it. Don't be the last to know. Stop fraud.

A Look into the Future of Viruses and Online Security Threats

August 24, 2009 | 1 Reply


Most of us may not care much about online security as long as we have antivirus software installed on our home computers, but this talk from Computeractive with David Emm of Kaspersky Labs shows how the types of threats facing home users are changing over time.

The highlights of the interview cover the dangers of the internet: the types of dangers we encounter, how vulnerable we are to them, how we can protect ourselves from such threats online, and some tips on keeping our kids safe from unsolicited online content.

Here are some of the salient points covered.

The dangers of being on the internet and the risks out there for computer users are not over-hyped, simply because online or offline, we are vulnerable to exposing ourselves to risk if we do not take the necessary precautions.

Why should people pay for antivirus software? According to David of Kaspersky, a whole range of technologies sets paid versions apart from free ones, which focus only on traditional antivirus; much wider technology is available in paid products, along with dedicated customer support. Free antivirus software may not offer customer support, but there are forums that can help users. I certainly do not agree that paid products are generally superior; some may be more advanced in some ways, but there is a lot of free antivirus software that does a really good job of providing computer security.

The biggest threat we face online is Trojan horse programs, which launch undesirable, harmful operations when run and normally harvest user-identifiable information like email addresses and credit card numbers, most of them with built-in key loggers that monitor keyboard actions as we type.

And how do we counter Trojan programs that pretend to be security software? It's important to know what your chosen security product is, and if something comes up online purporting to offer you protection, resist the temptation to download it. I can't cite a more appropriate example than my post "Is Free Antivirus Software No Good", which focuses on an utterly infomercial blog post generalizing that free antivirus software is crap, with the blog author blaming it on free products.

What are false positives? False positives are cases where antivirus software picks up and warns about a website or files which you know are safe. David said these false positives cannot be eliminated entirely. He advises that whenever you encounter one, send it in to the lab.

How do you protect your kids from unsolicited online content? Users should rely on technology and common sense: assign user-specific rights and passwords, or go as far as using tamper-proof solutions such as specialized software.

There are thousands of ways to protect ourselves from the threats of the web, but vigilance is the key to everything. Watch the video for the complete talk and share in the comments how you protect yourself from online threats.

Conficker Can Damage MP3 Players Not Just USB Drives: AVG Antivirus Software Detects and Removes Conficker From My ZEN Stone MP3 Player

May 9, 2009 | 7 Replies


In my post "What is Conficker and how to avoid it from infecting your computer?", if you recall, I listed preventive measures against Conficker, and number 4 reads, "Conficker can spread itself through removable drives like USB drives so be vigilant."

Yes, this is so true. Now, how is this related to this post? Well, if you happen to own an MP3 player, an MP4 player, an iPod or whatever gadget you use that connects over a USB cable, now is the time to think about its vulnerability to the Conficker worm, because it can severely damage your player, as happened to mine.

First, let me tell you this. I have an MP3 player that I normally use as usual: play songs and transfer files from my PC to the device. Even before Conficker infected my PC (which of course is now Conficker-free, based on this post, “How AVG Anti-Virus Software removed Conficker and saved my PC!“), I had a problem with my MP3 player because it suddenly stopped working. It didn’t recharge its battery, didn’t play songs, and its normal flickering light, which is yellow when playing, turned red, which normally happens only in low-battery mode, but the fact that it became non-responsive worried me. Since my ZEN Stone MP3 player is more than a year old, I assumed it had worn out, so I didn’t bother fixing it.

Until curiosity got the better of me and I tried to open the MP3 player again, not because I was trying to make it work but hoping that I could recover all the MP3 files on the player. My curiosity paid off and was answered with facts. The Spybot Search & Destroy anti-spyware I use flagged it as potentially harmful when opened, and the AVG Anti-Virus Free Edition I use detected it as a removable drive containing malware, which is definitely true.

My proof? I ran the AVG Antivirus software and guess what I discovered? It had been infected with Conficker, or Downadup, alongside Trojan horse downloaders. See the photo below showing AVG Antivirus Software detecting and removing Conficker from my ZEN Stone MP3 player.

AVG Antivirus software detects and removes Conficker from Zen Stone MP3 player

You might want to ask what happened to my MP3 files on the device. They all got corrupted. You can’t be thinking about backing up the files first before running the scan. Why? You want to avoid spreading the Conficker worm in your system, don’t you? The MP3 files are gone along with Conficker. Issue resolved. Wait, how about the lost files? Hmmm. Good question! Well, I wouldn’t be a geek if I hadn’t recovered the files from the healed MP3 player, right? That’s for you to find out the next time you read this blog.

A suspected letter from a scammer to Software Critics

April 29, 2009 | By | 1 Reply More

Reading time: 4 – 6 minutes

In relation to my post “Beware of Swine Flu Domain Names“, I mentioned that F-Secure has compiled a list of these newly registered “swine flu” domains, which include noswineflu.com, a domain also mentioned in news websites and other blogs.

I’ve also mentioned that,

“Black Hat SEO practices could be used behind unhealthy means of getting on top of search engine results as well as taking advantage of people and the current situation by selling fake drugs and all other sorts of evil cyber tactics” which can also be a possibility.

The post only mentioned noswineflu.com as a website which happens to sell a PDF file (an ebook) entitled “Swine Flu Survival Guide” for $19.95.

It never said nor accused the website of selling fake drugs or practicing black hat SEO. It only states the presence of lurking opportunists taking advantage of the Swine Flu scare.

In fact, I’ve listed the websites and blogs that have mentioned noswineflu.com in their articles.

FoxNews.com

Internet Scammers Ride Swine Flu’s Coattails…Another directs you to a Web site, noswineflu.com, which offers to sell you a “Swine Flu Survival Guide” for $19.95 — credit cards and PayPal accepted.

F-Secure has screenshots of the webpage of noswineflu.com.

Timesonline

Cybercriminals exploit swine flu fears with spam emails…Researchers at the security software maker F-Secure warned that one site, noswineflu.com, tries to con readers into buying a PDF called “Swine Flu Survival Guide” for $19.95.

The Washington Post

Scammers, Spammers Embrace Swine Flu News…F-Secure on its blog notes that at least one of the sites – noswineflu.com – tries to spoof readers into purchasing a PDF called “Swine Flu Survival Guide” for $19.95.

ShawnsTechSpot

Internet Scammers Taking Advantage Of Swine Flu Fears…Another email directs you to a web site, www.noswineflu.com, which offers to sell you a “Swine Flu Survival Guide” for $19.95. Please be warned that this is a scam and you will not get any type of guide. All you are doing is supporting the scammers.

The suspected letter sent to Software Critics is over the top and rather derogatory to this blog. See attached letter below:

A suspected letter from noswineflu dot com to Software Critics

If this is a genuine letter, then I would like to hear the website owner’s side of this issue. I would even volunteer to be the instrument to tell everyone that the site noswineflu.com is legitimate, once proven.

Again, Software Critics firmly believes that every consumer has the right to free, accessible, and accurate information, and that no one should be deceived or manipulated with false advertisements and unproven claims.

Software Critics advocates truth and justice and holds itself accountable to its readers.

Beware of Swine Flu Domain Names

April 29, 2009 | By | 4 Replies More

Reading time: 2 – 3 minutes

While the Swine Flu outbreak (read Swine Flu Virus 101 for more information) has been all over the news worldwide, even before the news took center stage it had been quite alarming in the world of domain name registration, where most domain names with “swineflu” in them had been taken en masse. In fact, F-Secure has compiled a list of these newly registered “swine flu” domains.

Currently, no spam site has been detected yet, but watchful eyes are already on these lurking opportunists taking advantage of the situation. Black Hat SEO practices could be used as an unhealthy means of getting to the top of search engine results, as well as taking advantage of people and the current situation by selling fake drugs and all other sorts of evil cyber tactics.

One proof of this became public when F-Secure reported a website, noswineflu.com (see the homepage screenshot below, including the checkout page),

Swine Flu Guide

Swine Flu Survival Guide Checkout

which happens to sell a PDF file (an ebook) entitled “Swine Flu Survival Guide” for $19.95. Why buy this ebook when you can have this information for free from the Centers for Disease Control and Prevention (CDC)?

Beware, be in the know and help spread the word!

How AVG Anti-Virus Software removed Conficker and saved my PC!

April 4, 2009 | By | 4 Replies More

Reading time: 4 – 6 minutes

In my previous post, “What is Conficker and how to avoid it from infecting your computer?”, I mentioned that I experienced some vital signs similar to a Conficker or Downadup worm infection and what it can do to harm your PC. Among these signs are:

  • Automatic updates no longer working. (For Windows auto-updates)
  • Anti-virus software is no longer able to update itself.
  • Unable to access a variety of security sites, such as anti-virus software companies.
  • Random svchost.exe errors. (Of which I’ve seen on some folders within my PC)

Now, after several scans and tests using AVG Anti-Virus Software and a stand-alone anti-virus scanner called “Stinger Conficker” (a McAfee product, which scans very slowly and still wasn’t able to detect anything), I came to the conclusion that AVG Anti-Virus Software can fight the Conficker worm and heal the infection easily. I ran the scan and left it running in the background on the system tray, and when I checked the virus scan results, I was surprised to see that Downadup, otherwise known as Conficker, had indeed infected my PC!

downadup scanning ip addresses

AVG Anti-Virus removed Conficker or Downadup as scanned infection

These show that the above-mentioned signs and those mentioned in the post, “What is Conficker and how to avoid it from infecting your computer?”, are accurate and genuine. Software Critics commits itself to responsible and intellectual dissemination of information, all of it based on real tests and user experience.

As the Admin of Software Critics, I am sharing this information with you because I believe it could help, since it is all backed up with screenshots taken from actual scan results. I’m not ashamed to admit that my PC got infected; otherwise this post could not have been shared to increase awareness.

Forget the blogs that post “this-and-that” kind of tutorials and say at the end, “do it at your own risk!” I’m a risk taker, but I’d rather take the risk first than have the readers take the risk themselves, because that is not taking responsibility for the information you are providing.

To strengthen the points of this post, I’ve made a video to show you exactly where the screenshots were taken from. All the information is laid out simply, and no registry editing or any other tweaking is necessary. I don’t want complicated procedures any more than you do.

AVG Anti-Virus Software Free Edition is what I used, and it worked. Even if AVG Technologies were to read this post, how likely do you think it is that they would give me a paid license?

What is Conficker and how to avoid it from infecting your computer?

April 3, 2009 | By | 2 Replies More

Reading time: 5 – 8 minutes

The Conficker (also known as Downadup and Kido) infection is a worm that predominantly spreads by exploiting the MS08-067 Windows vulnerability (found in the RPC facilities) and has the ability to infect other computers via network sharing and through removable media. Microsoft has addressed the problem by releasing a patch to fix the Windows vulnerability, though there are still many computers that do not have this patch installed. How much concern is warranted remains under debate, but if you are concerned, let me walk you through the facts.

When installed, Conficker/Downadup will copy itself to your C:\Windows\System32 folder as a randomly named DLL file. It may also copy itself to the %ProgramFiles%\Internet Explorer or %ProgramFiles%\Movie Maker folder. Then it will create a Windows service that automatically loads this DLL via svchost.exe (a legitimate file) every time you turn on your computer. The infection will then change a variety of Windows settings that allow it to efficiently infect other computers over your network or the Internet.

Once the infection starts running, you will no longer be able to access a variety of sites such as Microsoft.com, AVG.com and those of many other anti-virus vendors. It does this so that you cannot download removal tools or update your anti-virus programs. (Something similar happened to me a couple of days ago, but I was able to detect it as a Trojan.) Likewise, these websites won’t let you in, because they have also detected you as a security threat or malware.

The Conficker worm may perform any of the following actions, in no particular order:

  • Stop and start System Restore in order to remove all your current System Restore points, so that you cannot roll back to a previous date when your computer was working properly.
  • Check for Internet connectivity by attempting to connect to any of the following sites:
      o aol.com
      o cnn.com
      o ebay.com
      o msn.com
      o myspace.com
  • Attempt to determine the infected computer’s IP address by visiting one of the following sites:
      o http://www.getmyip.org
      o http://getmyip.co.uk
      o http://checkip.dyndns.org
      o http://www.whatismyip.com/
  • Download other files to be used as necessary.
  • Scan the infected computer’s network for vulnerable computers and try to infect them.
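The connectivity probe and external-IP lookup above are a sequence a defender can hunt for in proxy or DNS logs. The script below is an added example, not code from the original post: it flags clients that query the IP-lookup services named in the post (especially right after a connectivity probe) and clients that repeatedly fail to reach security-vendor sites. The log line format, the vendor domain list and the sample lines are constructed assumptions.

```python
"""Triage of proxy/DNS log lines for the Conficker beacons listed above.
Added example, not from the original post; the 'time client dest status'
log format and the sample lines are constructed for illustration."""
from collections import defaultdict
import re

# External-IP lookup services named in the post; a workstation has little
# legitimate reason to query these, so even one hit is worth a look.
IP_LOOKUP_HOSTS = {"www.getmyip.org", "getmyip.co.uk",
                   "checkip.dyndns.org", "www.whatismyip.com"}
# Connectivity probes from the post; harmless alone, suspicious when the same
# client also queries an IP-lookup service.
PROBE_HOSTS = {"aol.com", "cnn.com", "ebay.com", "msn.com", "myspace.com"}
# Vendor domains the worm blocks (assumed list); repeated failures to reach
# them match the "unable to access security sites" symptom.
SECURITY_HOSTS = {"microsoft.com", "avg.com"}
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}|FAIL)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, dest, status = m.groups()
    return {"ts": ts, "client": client, "dest": dest.lower(), "status": status}

def base_domain(host):
    """Reduce 'a.b.example.com' to 'example.com' (sufficient for this sample)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def triage(lines, fail_threshold=3):
    """Return {client: [reasons]} for clients showing the post's symptoms."""
    lookups = defaultdict(set)   # client -> IP-lookup hosts contacted
    probes = defaultdict(set)    # client -> connectivity-probe hosts contacted
    sec_fail = defaultdict(int)  # client -> failed requests to vendor sites
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, dest = rec["client"], rec["dest"]
        if dest in IP_LOOKUP_HOSTS:
            lookups[client].add(dest)
        if base_domain(dest) in PROBE_HOSTS:
            probes[client].add(dest)
        if base_domain(dest) in SECURITY_HOSTS and rec["status"] == "FAIL":
            sec_fail[client] += 1
    findings = {}
    for client in set(lookups) | set(probes) | set(sec_fail):
        reasons = []
        if lookups[client]:
            reasons.append("external-IP lookup: " + ", ".join(sorted(lookups[client])))
        if lookups[client] and probes[client]:
            reasons.append("connectivity probe plus IP lookup (worm-like sequence)")
        if sec_fail[client] >= fail_threshold:
            reasons.append(f"{sec_fail[client]} failed requests to security vendors")
        if reasons:
            findings[client] = reasons
    return findings

# Constructed sample: 10.0.0.5 is a normal browser, 10.0.0.9 shows the pattern.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.cnn.com 200
10:00:02 10.0.0.5 mail.example.org 200
10:00:03 10.0.0.9 msn.com 200
10:00:04 10.0.0.9 checkip.dyndns.org 200
10:00:05 10.0.0.9 update.microsoft.com FAIL
10:00:06 10.0.0.9 avg.com FAIL
10:00:07 10.0.0.9 free.avg.com FAIL
""".splitlines()
```

Running `triage(SAMPLE_LOG)` reports only 10.0.0.9, with all three reasons; the normal browser that merely visited cnn.com is not flagged.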

Some symptoms that may hint that you are infected with this malware are as follows:

  • Anti-malware software stating that you are infected with infections using the following names:
      o Net-Worm.Win32.Kido
      o W32/Conficker.worm.gen
      o Worm.Conficker
      o W32.Downadup
      o W32/Downadup.AL
      o W32/Confick-A
      o Win32/Conficker.A
      o Mal/Conficker
      o Worm:Win32/Conficker.B
      o Win32.Worm.Downadup.Gen

(This list is helpful to determine whether you are infected or not. What happened to my computer a couple of days ago showed some of the vital signs I’ve cited in the next three bullet points below, but looking here at the malware’s extension, I discovered that it was not Conficker but “Win32.VB.fnk”, which is a Trojan.)

  • Automatic updates no longer working.
  • Anti-virus software is no longer able to update itself.
  • Unable to access a variety of security sites, such as anti-virus software companies.
  • Random svchost.exe errors.

“Prevention is better than cure.” What you need to know and do.

1. If you happen to have installed the patch (through the “Microsoft Security Bulletin MS08-067 Critical” update) before Conficker came out (late in December 2008), then you were protected and still are. If you haven’t, then you must install the latest critical security updates found on www.windowsupdate.com. Although Windows Vista is technically vulnerable, the exploit is almost impossible to execute there, which makes Conficker basically an XP problem.

2. As mentioned earlier, Conficker spreads through network shares; however, a good anti-malware program can detect it at that early stage.

3. While Conficker can spread through network shares, weak passwords make you especially susceptible, since the worm executes a “dictionary attack”. So if you find unfamiliar executables on such shares, report them and contact the network admin. Beyond that, use strong or even complex password combinations which include letters, numbers, and punctuation.

4. Conficker can spread itself through removable drives like USB drives, so be vigilant. Here too, a good anti-malware program can help.

5. Conficker is high-profile malware. While no anti-malware software is perfect, a good one has a high success rate, and an updated anti-virus program is indispensable.

6. The inability of Windows and anti-malware programs to update themselves is part of a Conficker worm infection. To avoid this, check these programs and your Windows updates more often to ensure that they do update, and never leave any update uninstalled.

7. Get yourself a free Conficker/Downadup cleaning tool like the ones listed:

* McAfee Stinger

* ESet EConfickerRemover

* Symantec W32.Downadup Removal Tool

* F-Secure F-Downadup, FSMRT, more tools

* BitDefender single PC and network removal tools

* Kaspersky KKiller

* Trend Micro

(If you use any one of the tools above to remove Conficker, immediately install the MS08-067 patch afterwards.)
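Step 3 above describes the worm running a dictionary attack against network shares. As an added example, not code from the original post, the detector below looks for that pattern in share-logon records: many failed logons to one account from one source inside a short window, with a sliding window so that a slow trickle of ordinary mistypes is not reported. The log line format and the sample lines are constructed for the example.

```python
"""Detect the dictionary-attack pattern from step 3: many failed logons to a
share for one account from one source inside a short time window.
Added example, not from the original post; the log line format
'<epoch> <source_ip> <share> <user> <OK|FAIL>' and the sample are constructed."""
from collections import defaultdict, deque
import re

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(line):
    """Return (ts, src, share, user, result) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, share, user, result = m.groups()
    return int(ts), src, share, user, result

def find_bruteforce_sources(lines, window=60, threshold=10):
    """Return {src: peak} for sources that produced at least `threshold`
    failed logons against one account within any `window`-second span.
    Lines are assumed to be in time order, as a log normally is."""
    recent = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    peak = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[4] != "FAIL":
            continue
        ts, src, _share, user, _result = rec
        q = recent[(src, user)]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak

def make_sample():
    """Constructed sample: one user mistyping once, a worm hammering the
    ADMIN$ share as Administrator every three seconds, and the same worm
    throttled to one attempt per 100 seconds (never fills a 60 s window)."""
    lines = ["1000 10.0.0.4 \\\\FILESRV\\docs alice OK",
             "1005 10.0.0.4 \\\\FILESRV\\docs alice FAIL",
             "1009 10.0.0.4 \\\\FILESRV\\docs alice OK"]
    for i in range(12):
        lines.append(f"{2000 + i * 3} 10.0.0.23 \\\\FILESRV\\ADMIN$ Administrator FAIL")
    for i in range(12):
        lines.append(f"{5000 + i * 100} 10.0.0.77 \\\\FILESRV\\ADMIN$ Administrator FAIL")
    return lines
```

With the defaults only 10.0.0.23 is reported; widening the window to 600 seconds also catches the throttled source, which is the trade-off to tune against your own share-logon volume.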

* BitDefender

* Symantec

Reference Links:

F-Secure Downadup information
Windows MS08-067 Patch
Worm:Win32/Conficker.B information from Microsoft
Conficker/Downadup Worm Dubbed ‘Epidemic’

Update:  13 April 2009

While there is plenty of information online providing valuable resources about Conficker, one method currently gaining attention is the Conficker Eye Chart. However, it is still recommended to follow the tips mentioned in this post.

Google admits error having tagged the entire web as Malware

February 3, 2009 | By | 3 Replies More

Reading time: 2 – 2 minutes

Last Saturday around 10:30 AM CST, while I was browsing the internet doing some searches, every search result coming from Google was tagged as malware with the phrase “This site may harm your computer”.

Fascinated and alarmed, I tried switching browsers from Firefox to IE, but nothing changed. My Sparky toolbar kept redirecting my searches to a security warning page, which made me more concerned, as this was not normal.

From what I read, while Google was updating its list of flagged sites (as it normally does with StopBadware.org, a non-profit organization that helps develop the criteria for the list), a “/” was mistakenly checked in as a value in the file, and “/” expands to all URLs. However, Google’s reliability team was able to detect the human error and successfully reverted the file. The problem lasted for about 40 minutes.
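To see why a single “/” entry expands to every URL, here is an added example (not Google’s or StopBadware’s code) of a prefix-based blocklist matcher, plus the validation gate that would have rejected such an entry before it was published. The matching rule, that an entry matches when it is a prefix of either host-plus-path or the path alone, and the sample lists are assumptions made for the example.

```python
"""A prefix blocklist matcher showing why a bare '/' entry flags every URL.
Added example, not Google's or StopBadware's code; the matching rule (an entry
matches if it is a prefix of host+path or of the path alone) is assumed."""
from urllib.parse import urlsplit

def canonical(url):
    """Return (host, path) in lower-case form; a missing path becomes '/'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host, path

def candidates(url):
    """Forms of the URL compared against the list: 'host/path' and bare path."""
    host, path = canonical(url)
    return [host + path, path]

def is_flagged(url, entries):
    """Return the first list entry that is a prefix of any candidate, or None."""
    for form in candidates(url):
        for entry in entries:
            if form.startswith(entry):
                return entry
    return None

def catch_all_entries(entries):
    """Return entries with no host part. A path-only entry such as '/' is a
    prefix of every URL's path, which is the bug in the post: one '/' checked
    into the list marked the whole web as harmful."""
    bad = []
    for entry in entries:
        host = entry.split("/", 1)[0]
        if "." not in host:
            bad.append(entry)
    return bad

def safe_to_publish(entries):
    """Gate a list update: refuse any list containing a catch-all entry."""
    return not catch_all_entries(entries)

# Constructed lists: the second is the first with the erroneous '/' added.
GOOD_LIST = ["badsite.example/", "example.org/downloads/trojan"]
BROKEN_LIST = GOOD_LIST + ["/"]
```

Against GOOD_LIST a Google search URL is clean; against BROKEN_LIST the same URL matches the “/” entry, exactly the behaviour described above, and `safe_to_publish` refuses the broken list.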

Google explained that the error did not result from a DDoS attack and did not come from StopBadware.org; Google claimed full responsibility for the mistake and extended an apology to the public for the inconvenience.

Security threat: Malware on latest BarackObama.com Campaign

January 29, 2009 | By | Reply More

Reading time: 1 – 2 minutes

Websense has detected several malicious hackers registered under multiple bogus user accounts on My.BarackObama.com (an online community for citizens supporting President Obama). The website, with its social-networking capability, makes it possible for users to create accounts, join groups, raise funds and create a blog.

In the Obama campaign case, these malicious hackers created blogs on My.BarackObama.com with a fake YouTube image enticing visitors to “Click here to see movie”. Once the image is clicked, a porn video loads, and playing the video leads to a .exe file download, with the user instructed to download the file in order to view the video.

The perpetrators of the campaign are boosting their visibility by injecting blog links into other blogs’ comments, especially on high-profile sites like My.BarackObama.com.

So, don’t get caught in this trap. Be vigilant when clicking links, as always, and as usual, you can’t trust everything you see on the internet.

Israel-Hamas Malware is in your spam!

January 14, 2009 | By | 6 Replies More

Reading time: 2 – 2 minutes

I came across rather new and interesting news as I was searching for relevant information to post on this blog. Just as relevant as the war in Israel, a malware attack is rampaging, circulating through unsolicited emails which claim to be from CNN News.

The email is said to contain news about the bombing in Gaza, with a link to a graphic video from an Al Jazeera English report. Clicking the link brings the user to a fake CNN page with a video on it. Starting the video gives a dialog box advising “Please Download the correct Flash Media Player!” Clicking OK starts a download of the malicious file Adobe_Player10.exe, which Trend Micro detects as TROJ_DLOADR.QK.

Trend Micro has a report on this latest email-borne malware attack:

“The malware is a ‘downloader’ which then downloads and installs other malware, TROJ_INJECT.ZZ. The latter is an info-stealer that logs keystrokes and launches a sniffer to retrieve passwords from network packets. It then uploads the gathered data to several URLs. It also drops a rootkit component detected as TROJ_ROOTKIT.FX.”

We remind everyone to beware of this malware and be vigilant about clicking links in your spam mail.

The Fight Against Spam

December 23, 2008 | By | 1 Reply More

Reading time: 2 – 2 minutes

Most of the time when I open my email, I come across unsolicited messages flooding my inbox folder. I sometimes open at least one of them out of curiosity, but what really fascinates me is how these emails got through the spam filter when, in fact, it had already been set up.

Spam is an electronic message that is indiscriminately sent and normally comes in bulk. The act is called spamming, which can be carried out through many forms of media, while a spammer is a person or entity doing the act.

According to some advertisers, spamming is economically viable for enhancing their marketing campaigns, reducing cost and increasing profitability. No wonder most spam consists of advertisements of all sorts, unknowingly driving potential customers away.

The advent of anti-spam software in the market made it convenient for email users to manage their messages.

Some software can catch more than 98% of incoming spam with the use of link filters that track incoming bulk mail from spam sites, with the aid of a DCC filter which connects to the DCC network to recognize unsolicited bulk mail. It supports the most common POP3 and IMAP accounts and connects securely with SSL/TLS.

Email clients such as Outlook 2000/XP/2003/Express, Eudora and Mozilla Thunderbird, among others, are supported.

An added function of anti-spam software is its user-friendly interface, allowing users to organize their contact lists.

True enough, we can fight spam as software developers keep updating their products and developing software in the hope of beating spam.